
National Security Scheme, ENS

fernando

September 21, 2023


Technology has been an integral part of our daily lives for several years now. Our extensive use of it, along with the relentless evolution of disruptive technologies, poses a significant challenge to cybersecurity. This growing societal dependence on technology has increased the risks and threats associated with its use, requiring responses adapted to constantly evolving needs.

Challenges and threats

The challenges posed by technological dependence are the result of a number of interrelated factors, such as the evolution of cyber threats with the development of new techniques and tools to compromise the security of systems, networks, and data. This includes sophisticated malware, social engineering attacks, and advanced evasion techniques. Furthermore, with the proliferation of internet-connected devices in the Internet of Things (IoT), the cloud, and virtualization, the attack surface has expanded significantly. Every connected device represents a potential entry point for cybercriminals.

The massive accumulation of data caused by the digitization of information is another vulnerability we face as a society. Protecting this data, much of which is sensitive and private, is crucial to guaranteeing people’s privacy and preventing identity theft or phishing.

In light of the increase in cyber threats, governments, both at the European and national levels, have made an effort to increase cybersecurity levels by evolving regulations and standards that guarantee data security and privacy.

This effort has resulted in the updating of two key standards for cybersecurity in our country: Royal Decree 311/2022, of May 3, which regulates the National Security Scheme (ENS), and the ISO 27001 standard, "Information security, cybersecurity and privacy protection - Information security management systems".

What is the National Security Scheme (ENS)?

The National Security Scheme (ENS) is a regulatory and reference framework, established in Spain, based on Spanish legislation and European regulations related to information security, with the objective of creating the necessary conditions of trust in the use of electronic means, through measures to guarantee the security of systems, data, communications and electronic services, allowing citizens and public administrations to exercise their rights and fulfill their duties through these means.

The ENS was created in 2010 with Royal Decree 3/2010, of January 8, which establishes the principles and requirements necessary to protect the confidentiality, integrity, availability and authenticity of information in public entities and bodies.

Key Changes of the new National Security Scheme (RD 311/2022)

In 2022, the previous decree was repealed and Royal Decree 311/2022, of May 3, came into force. This decree includes new objectives such as:

  • The designation, by the service provider, of an information security point or person of contact (POC)
  • Supply chain protection within service continuity, so that the supplier guarantees service provision in case of a contingency, a measure required in the HIGH category
  • The new principle of continuous monitoring for the ongoing assessment of the security status of assets
  • Notification of security incidents to CCN-CERT and INCIBE-CERT
  • Professionalism and training are required of those responsible for security within an organization, in addition to existing security training and awareness programs for all users. This should guarantee adequate training for security personnel and foster a security culture within the organization. It is worth noting that both the CCN and INAP offer awareness and training programs.
  • New security measures are established, including mandatory measures and optional or reinforcement measures.
    • Cloud services
    • Interconnection of systems
    • Supply chain protection
    • Enhanced security measures at checkpoints
    • Grouping of alternative means in the control of service continuity.
    • Surveillance
    • Other devices connected to the network

The deadline for public and private entities that provide services or solutions to public administrations to adapt to the new ENS is May 5, 2024.

The National Security Scheme (ENS) must be complied with in all services that the Administration provides to citizens, including services such as:

  • Electronic offices
  • Electronic records
  • Information systems accessible electronically to citizens
  • Information Systems for the exercise of rights
  • Information Systems for the fulfillment of duties
  • Information systems for gathering information and status of the administrative procedure

What benefits does the application and compliance with the ENS bring?

By establishing a common information security framework for the public sector, as well as for suppliers that collaborate with the Administration, the ENS sets standards that guarantee consistency and uniformity in security management across different entities and bodies.

One of its main objectives is to address the security of all assets that make up an information system with a global approach to security: security of facilities, communications, software, system operation, users, etc.

The National Security Scheme (ENS) establishes security measures and controls to help protect sensitive information, with the obligation to comply with applicable regulations regarding the protection of personal data, financial information, and other important assets. Furthermore, it promotes the identification, assessment, and management of information security risks, enabling public and private organizations to make informed decisions about how to effectively protect their assets.

In the face of potential cyberattacks or other problems, the ENS ensures that organizations can maintain the provision of essential services even in crisis situations, promoting business continuity.

Compliance with these standards promotes information security awareness and employee training, helping to create a security culture. Furthermore, it builds trust in the information management practices of public sector entities and organizations. Citizens and businesses can trust that their data will be handled securely.

The different levels of security contemplated in the ENS

The National Security Scheme (ENS) in Spain defines three security categories: Basic, Medium and High. The category of a system is determined by assessing its information and services in each of their security dimensions; the system category is the highest value given to any security dimension.

Annex II of the ENS defines the security measures that must be met, differentiating, as the previous royal decree already did, between organizational framework measures, operational measures and specific protection measures for each type of asset. In total there are 73 measures, whose application depends on the category of the system: the number that apply increases from the Basic category to the High category, in which all 73 measures established in Annex II of the standard must be applied.

Vintegris is certified at the ENS HIGH level, applying the 73 security controls required by the standard

The high level of the ENS offers greater protection and security for critical public sector information and ensures a more effective response to advanced threats.

Among its advantages we find:

  • Greater protection of sensitive information: The high level of the ENS applies to high-category information, meaning that more rigorous protection is provided to the most critical and sensitive information in the public sector, with protective measures in place both when stored and in transit, including encryption.
  • Improved resilience to advanced threats: High-level security measures are designed to deal with more sophisticated and persistent cyber threats, such as targeted or advanced attacks, requiring continuous monitoring.
  • Enhanced access control: At the highest level, stricter access controls are implemented, limiting who can access critical information. This significantly reduces the risk of unauthorized access.
  • Robust continuity plan: More detailed business continuity and disaster recovery plans are required at the high level of the ENS, ensuring the availability of critical services in crisis situations.
  • Greater emphasis on auditing and monitoring: The high level requires continuous monitoring and the performance of internal audits, which helps to detect and respond quickly to potential security threats or incidents.
  • Greater public trust: Compliance with the high level of the ENS demonstrates a strong commitment to information security and can increase public trust in government services and information management.
  • Advanced incident preparedness: A more detailed and effective incident response plan is required at the high level, enabling faster and more efficient action in the event of security incidents.

Although implementing these measures involves additional effort and cost in terms of implementation and maintenance, at Vintegris we value the advantages that this level of security brings to our customers.
